The "Moderate" sensitivity level for Ransomware Protection is the most appropriate setting as it provides the best balance between effective prevention of ransomware and minimizing the operational disruption caused by false positives. This level is calibrated to detect and block a wide range of malicious encryption behaviors characteristic of ransomware while being less likely to interfere with legitimate applications that perform intensive file I/O operations. It represents the standard best practice for a general-purpose endpoint security policy, aligning with the dual requirements of security and stability.

B. Disabling the prevention policy removes the primary automated defense layer, which is a critical security failure and would be ineffective against fast-acting ransomware attacks.

C. A "Low" sensitivity level may fail to detect newer or more sophisticated ransomware variants, and excluding file-sharing applications creates a significant, exploitable gap in security.

D. The "Aggressive" sensitivity level is designed for maximum detection but significantly increases the risk of false positives, which contradicts the requirement to minimize them.

1. CrowdStrike Falcon® Platform Documentation

"Host and container security: Prevention policy settings

" Section: On-sensor machine learning. This document details the different sensitivity levels for machine learning-based detections. It specifies that the "Moderate" level is the recommended default

offering a balance between detection efficacy and a low false positive rate

whereas "Aggressive" is for high-risk environments and may generate more false positives.

2. SANS Institute

"Endpoint Protection and Response: A SANS Survey" (2021)

Page 12

Section: Tuning and False Positives. While not specific to CrowdStrike

this type of industry research emphasizes the critical need for tuning endpoint protection platforms (EPP) to balance threat detection with business operations. The findings support the principle of starting with a moderate

baseline policy to avoid overwhelming security teams with false positive alerts.

3. Carnegie Mellon University

Software Engineering Institute

"Common Sense Guide to Mitigating Insider Threats

6th Edition" (CMU/SEI-2022-TR-003)

Page 68

Practice EPP.1. The guide recommends configuring endpoint protection tools with policies that are effective but not overly restrictive to avoid hindering productivity. This principle directly supports choosing a balanced setting like "Moderate" over an "Aggressive" one that is more prone to false positives.